
<p><b>Background</b>

<br>
<a href="http://en.wikipedia.org/wiki/Open_Source_Tripwire">http://en.wikipedia.org/wiki/Open_Source_Tripwire</a>
<br>
<a href="http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system">
http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system</a>

<p><b>Preparation</b>

<p>To build packages such as <tt>tripwire</tt> from source, we need <tt>make</tt> and the GNU C/C++ compiler.
<pre>
yum install gcc gcc-c++ autoconf automake
</pre>

<p>Alternatively
<pre>
yum groupinstall "Development Tools"
</pre>

<p><b>Download</b>

<p>Download <tt>tripwire-2.4.2-src.tar.gz</tt> from SourceForge (<a href="http://sourceforge.net/projects/tripwire">http://sourceforge.net/projects/tripwire</a>).
</p>
<pre>[root@vbox1 ~]# tar xzvf tripwire-2.4.2-src.tar.gz
[root@vbox1 ~]# cd tripwire-2.4.2-src
[root@vbox1 tripwire-2.4.2-src]# ./configure --prefix /opt/tripwire
[root@vbox1 tripwire-2.4.2-src]# make install
</pre>

<p><b>Initialise database</b>

<pre>[root@vbox1 tripwire-2.4.2-src]# /opt/tripwire/sbin/tripwire --init -c /opt/tripwire/etc/tw.cfg
Please enter your local passphrase:
Parsing policy file: /opt/tripwire/etc/tw.pol
...
Wrote database file: /opt/tripwire/lib/tripwire/vbox1.twd
The database was successfully generated.
</pre>

<p><b>Schedule</b>

<pre>
[root@vbox1 tripwire-2.4.2-src]# crontab -e
03 2 * * * /opt/tripwire/sbin/tripwire --check -c /opt/tripwire/etc/tw.cfg 2&gt;&amp;1 | /usr/bin/mail -s "Tripwire Check" root
</pre>

<p>Run the check to see what's changed since the <tt>--init</tt> command.

<pre>[root@vbox1 tripwire-2.4.2-src]# /opt/tripwire/sbin/tripwire --check -c /opt/tripwire/etc/tw.cfg
Parsing policy file: /opt/tripwire/etc/tw.pol
...
Modified:
...
</pre>
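<p>An added example (not part of the original page): a cron wrapper for the scheduled check that keeps tripwire's exit status, which a pipe into <tt>mail</tt> discards, and puts a summary in the subject line. The function names, the <tt>--run</tt> switch and <tt>MAILTO_ADDR</tt> are assumptions; the exit status bitmask is the one documented in the tripwire(8) man page.

```shell
#!/bin/sh
# Added example: cron wrapper for the tripwire check scheduled on this page.
# Paths are the ones used on this page; MAILTO_ADDR and the function names
# are assumptions made for this example.
TRIPWIRE=/opt/tripwire/sbin/tripwire
TW_CFG=/opt/tripwire/etc/tw.cfg
MAILTO_ADDR=root

# Decode the --check exit status bitmask from tripwire(8):
# 1 = files added, 2 = files removed, 4 = files modified, 8 = error.
tw_describe_status() {
    code=$1
    if [ "$code" -eq 0 ]; then echo "no violations"; return 0; fi
    # Anything above 15 is not a tripwire bitmask (e.g. 127 = binary not found).
    if [ "$code" -gt 15 ]; then echo "unexpected exit status $code"; return 0; fi
    out=""
    if [ $((code & 1)) -ne 0 ]; then out="$out added"; fi
    if [ $((code & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((code & 4)) -ne 0 ]; then out="$out modified"; fi
    if [ $((code & 8)) -ne 0 ]; then out="$out ERROR"; fi
    echo "${out# }"
}

# Run the check, mail the full report, and return tripwire's own status.
tw_run_check() {
    report=$(mktemp) || return 8
    # Capture stdout and stderr so tripwire's own errors land in the mail.
    "$TRIPWIRE" --check -c "$TW_CFG" >"$report" 2>&1
    rc=$?
    subject="Tripwire Check on $(hostname): $(tw_describe_status "$rc")"
    /usr/bin/mail -s "$subject" "$MAILTO_ADDR" <"$report"
    rm -f "$report"
    return "$rc"
}

# Only run when called with --run (as from cron); sourcing has no side effects.
if [ "${1:-}" = "--run" ]; then tw_run_check; fi
```

<p>Saved under a path of your choice, the script replaces the pipeline in the crontab entry and is called with <tt>--run</tt>.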

<p><b>Customise</b>

<p>Update the policy, e.g. by commenting out default directories that we don't have, such as <tt>/cdrom</tt>.

</p>
<pre>[root@vbox1 ~]# vi /opt/tripwire/etc/twpol.txt
[root@vbox1 ~]# /opt/tripwire/sbin/tripwire --update-policy --secure-mode low -c /opt/tripwire/etc/tw.cfg /opt/tripwire/etc/twpol.txt
</pre>

